Consent and Cookies: How Will the ePrivacy Directive Change Online Business Practices?

The Online Trust Alliance hosted a webinar this week to consider how companies are preparing for the European Union’s new “ePrivacy Directive”. The 2009 amendment is set to be implemented in the United Kingdom on May 26th and will influence on-line companies’ ability to access and collect user information. In particular, the Directive will change information practices for companies who provide services to users within the EU by requiring that “the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information”.

The new formulation of “consent” has led some companies to wonder whether they can rely on implied user consent or must obtain explicit user consent before collecting or accessing data on a user’s terminal equipment. Implied consent suggests that tools like browser settings, which can be set to allow for behavioral tracking, suffice in establishing a user’s willingness to provide information. Explicit consent, by contrast, refers to a situation in which users must allow their data to be collected through express action before their information can be collected.

Colin O’Malley, Chief Strategy Officer at Evidon, indicates that a company’s consent-procurement responsibilities depend on which EU Member State it is based in. This is because the ePrivacy directive has been, and will continue to be implemented differently across member states. For example, France and Greece already require opt-in (explicit) consent to be obtained by companies while the UK and Germany consider that consent can be established using browser settings (implied). These laws vary further when a cookie is used (a tool used to store information on a user’s computer) depending on the purpose of that cookie.

Differences in member state implementation have led to some operational confusion among companies.

Mr. O’Malley corrects some broad misunderstandings regarding consent requirements in the EU to clarify potential compliance issues. First, despite being nicknamed “the cookie directive”, the ePrivacy Directive does not only affect the use of website cookies. Instead, the Directive’s provision on consent applies to all collection practices that store or access data on a user’s terminal equipment.

Second, the use of a separate ‘pop-up’ window is not necessary to gain explicit consent from users, in most cases consent buttons can be placed directly on a webpage. Finally, the amended Directive does not explicitly state that companies must obtain consent before setting a browser cookie; this is an interpretation that has emerged because cookies are commonly used for data collection purposes.

Mr. O’Malley suggests four steps to ensuring that your company is compliant or can become compliant with the EU legal regime.

First, “audit your website”. This means that you know what is on your site: who is using your site to collect information, what information they are collecting, and with what frequency they are collecting the information. Second, “assess intrusiveness” of the technology used (cookies, flash, etc.), whether it can be easily identified by users, and whether data collection is actually necessary.

Third, “determine your consent strategy” by identifying the implications of data collection. This will, for example, require you to consider the usefulness of data versus the intrusiveness of collection. Some sectors or business models consider data collection as an operational imperative (e.g. ad supported businesses) while others can suffer from overly intrusive collection practices. Finally, the amount of overhead that you are willing to dedicate to maintaining your consent policy will influence your strategy. Some businesses will be willing to carry a higher risk of non-compliance to limit internal technology costs.

Fourth, “deploy your consent model”. Your model should accommodate your company’s compliance needs and available resources. While this can be developed internally, you can consider using a technology provider who will be more familiar with the data-collection landscape. Finally, consider restricting your data collection practices (in addition to those of third parties) because they are also subject to the Directive’s provisions.

Mr. O’Malley asserts that there are currently no examples of consent that follow “the letter of the law” as laid out in the ePrivacy Directive. This means that companies will need to rework their consent strategies as member states continue to implement the ePrivacy Directive. Website operators will find it increasingly difficult to use ‘cookies’ and other forms of terminal-based data collection, leading to industry concerns about how the ePrivacy Directive will affect online business in the EU and globally.